Hacking a Pacemaker

jonkman sean writes "University researchers conducted research into how they can gain wireless access to pacemakers, hacking them. They will be presenting their findings at the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy. Their previous work (PDF) noted that over 250,000 implantable cardiac defibrillators are installed in patients each year. This subject was first raised along with similar issues as a credible security risk in Gadi Evron's CCC Camp 2007 lecture "hacking the bionic man"."

Bionic eye

[sm62704]

I'm sure glad the device in my eye (see my sig for details) is focused by the eye's muscles rather than electronics/motors. Some things shouldn't be networkable.

Oh yeah, the oblig: We are cyborg. You will be assimilated. resistance is not only futile but you won't resist, you'll beg to join us..

remote kill?

[Anonymous Coward]

does this mean that someone can eventually kill people remotely?

Re:Bionic eye

[Anonymous Coward]

pacemakers aren't "networked" but are programmable, usually through a short range (touching the skin) transmitter. Need to be able to change the strength and trip thresholds without doing new surgery. Apparently, they need to add encryption/passkeys to the devices if they haven't already.

So they can crack RSA and then get the pacemaker?

[dbIII]

RSA encryption is used in these devices. There certainly is a lot of techofear journalism about lately.

Re:remote kill?

[Snowgen]

does this mean that someone can eventually kill people remotely?

The technology for that already exists; it's called a "gun". It replaced an older technology called an "arrow", which in turn was the replacement for an even older technology called the "javelin". There was also an older technology called a "sling" which was a peripheral device designed to increase the effectiveness of the original technology call the "rock".

People have been remotely killing other people for millions of years.

A better method

[yamamushi]

The article details how the researchers had to be within 2 inches of the pacemaker, and several thousands of dollars worth of equipment. I suspect there is an easier way to deactivate a pacemaker, find out what frequency they operate at. I've got an FM radio blocker, that is basically just a 100mhz oscillator, a potentiometer, and a battery. It works by canceling out a given frequency, thus letting me silence my neighbors stereo from 50ft away. I know the technique works for the 2.4ghz band, for blocking out wireless phone signals and whatnot. I suppose finding an oscillator in the high ghz range would suffice for 'killing' a pacemaker.

Re:Bionic eye

[sm62704]

I would think the safest thing would be to have to physically interface with it to program any electronics in it. Once they've sewn one into my chest (thank God heart disease doesn't run in my family) I wouldn't want it to be programmable!

It's not that bad

[Anonymous Coward]

(Posting this as AC since I don't want to get in trouble).

I think the summary is more alarming than the actual article. The researchers had to be at two inches from the device in order to tamper with it.

It's probably not such a big deal now, but some more thought should definitely go into future products. 30000$ sound like much, but it certainly sounds like a bargain if you can kill the Vice President of the USA without even touching him.

I mean, imagine the following scenario:

1. Bad guys want to kill Cheney. That seems quite plausible.

2. They find out the exact model of his pacemaker. That sounds feasible with some knowledge of the field, money, time and determination.

3. They buy one and hire some researchers to crack it and to create an automated system which is portable and works reliably. Say, a laptop with some transmitter attached or something similar. This is quite hard, but should be feasible as well with enough money and time.

4. The researchers manage to increase the range from 2 inches to 20 inches. This is probably the hardest part.

5. The bad guys put the laptop in a briefcase, wires running up the sleeve and the transmitter in the other sleeve (close to the hand). This is easy.

6. Now they just have to get close enough to Cheney. I have no idea about how hard this is.

7. He has a "heart attack". Bodyguards/security come running and push all the people away. People go away because they don't want trouble, including the guy with the briefcase. I think this is quite realistic.

8. Cheney dies. Maybe they find out that the pacemaker was tampered with, maybe not. If not, the plan worked out perfectly. If yes, they will have some video on a security camera showing the bad guy, who is in another country by now. Maybe they catch him, maybe not.

This sounds pretty far fetched (and it is), but it could be possible with some minor advances. So some more thought should go into these devices.

Pacemakers have batteries which have enough power to supply some encryption hardware. What should be done to prevent this scenario is something like this:

1. Create a key pair for every pacemaker. The public key is on the pacemaker, the private key gets printed on a 2d barcode on a piece of plastic. The patient gets the barcode which he carries in his wallet. The patient's doctor/hospital also gets a barcode.

2. The devices used to communicate with the pacemaker have a slot for the barcode.

3. The pacemaker ignores any request not signed with the private key. Problem solved!

Re:Bionic eye

[Misagon]

Some things shouldn't be networkable.

Not networkable. A pacemaker communicates only with the diagnostic equipment.
Pacemakers are [i]implanted[/i] under the skin. The only way to interface with them is through induction or radio signals. The signals have ranges measured in centimeters.

Re:Don't fear.... much

[TheRealMindChild]

Similarly the argument that it took $30,000 worth of equipment and a 'team of experts' is retarded because the same might probably have been said about DVD encryption till an adolescent did it in his bedroom with his home computer and enough caffeine.

Not only that, but let's say the President of the United States has a pacemaker... $30000 is pittance for someone who wants him dead.

Re:So they can crack RSA and then get the pacemake

[frog_strat]

Working on the communications software for one of these devices, I can say for sure there is no encryption on at least one of them. A decision was made by the company to not worry about this issue at the moment.

Re:Bionic eye

[Ihlosi]

I want them to get the pacing rate right BEFORE they sew it in.

Finding out which settings you like or don't like unfortunately involves putting a pacemaker into you first. Of course, you could go with a completely dumb device, but your heart would be paced too fast when you're asleep and too slow when you're physically active.

Re:Don't fear.... much

[MMC Monster]

Recent models of pacemakers and defibrillators from the major companies (Guidant, Medtronic, etc.) allow remote telemetry from home: You have a device sitting on a table next to the patient's bed which will check the device every night (or one night a week, etc.) and report back to the physician any abnormalities. Some also allow wireless programability, but not from home: The nurse waves the wand over the device, then the patient goes in another room and gets seen by the physician while the settings on the device are changed. The range is less than 50 feet, based on personal experience. Now, this can theoretically be done from home (if someone has the right device), and you can make changes without any passwords.

Before you ask, you should *not* start passwords-protecting these devices, as you may have a patient traveling and rendered unconscious and need to make setting changes and not have time (or ability) to call the manufacturer.

When my pacemaker is tested

[InterGuru]

Every six months my pacemaker is checked. Part of the test is to speed and slow down the pacemaker and my heart for a short time.

It is a truly heartfelt experience.

Bookwormhole.net [bookwormhole.net] -- a site for book lovers.

Re:Bionic eye

[darkfire5252]

Yes, I want it to be programmable. But I want the designer to keep in mind that it's my life at stake. We know how to do these things securely.

Public-Private Key cryptography. The manufacturer has a public key, and it's embedded into the device. The manufacturer's private key is kept secret in the same way as the PKI people do it; there are multiple parties required to do anything to the key, there is armed security 24/7, and the key is treated as if people's lives depend on it because that's the situation. There's a process to go through for a hospital to get certified to update the device. When the hospital certifies a doctor to update the device, the doctor's public key is signed by the manufacturer's private key. The doctor keeps his private key on a smart card that requires a PIN with the full knowledge that people could die if he loses it. Preferably the smart cards are kept under lock and key at the hospital next to the lethal drugs and the morphine. When an update command is done, a specially formatted message is signed by the doctor's private key, and the message is send along with the doctor's certificate (the doctor's public key signed by the manufacturer's private key). If there's no valid certificate or the message format is not correct, no command interpretation takes place. If everything checks out, the command is logged in onboard flash memory and the device updates. If someone's pacemaker is updated in a manner that kills them, there is an audit trail pointing to exactly who's at fault. I don't care how much more expensive it is, particularly when the answer is 'not very.'

People's lives are at stake here, the manufacturers should be held liable and negligible if they aren't using already existing methods that essentially guarantee security.

Ah, the smart-arse non-sequiturs

[Moraelin]

Ah, the smart-arse non-sequiturs. How I missed those. So let's demolish them one by one, then. And maybe then we'll see some actual thought process instead.

Tell you what: Have fun with your dumb fixed-rate 75 bpm pacemaker, but don't expect to be running up any stairs anytime soon.

So basically you're telling me that you have to have an external thing strapped to your chest, full time, for it deal with that? I thought they were programmed by a cardiologist once, and left on their own afterwards.

Because sticking a JTAG connector through someones chest is fairly painful. You're welcome to experiment on yourself to confirm this.

_If_ any model needs it to be done that often, there _are_ ways to have things sticking out of someone's skin (think: dental implants) or have an electrode go out to right under the skin (think: some hearing implants.) So, you know, they require contact or near contact to work at all.

Also, it's not a WiFi interface. It's a short-range (it goes through your chest, and water absorbs radio waves like crazy), custom, wireless interface.

That still doesn't excuse its being an insecure protocol. If the only thing it has going for its security is that it's a custom proprietary protocol, then at best it's "security by obscurity." I.e., an antipattern by any other name.

It basically is, genius. Or do you want it so contact-based that they have to shoot a couple of amps through your chest in order to make the pacemaker respond ? Hint: Think of a vital organ that's very, very close to the pacemaker and reacts very badly to having current shot through it.

Again, there are ways to place electrodes for that, so they don't involve shooting a couple of amps through the chest.

So, basically, to wrap this up: I don't know what your qualifications are, but security is obviously not one of them. You can tell that when someone starts stringing straw men, non-sequiturs and a few other fallacies as why they didn't and shouldn't think about security. Whether it's about pacemakers or "why XSS vulnerabilities are overhyped and inevitable, and you shouldn't ask me to learn to encode strings" types, it's the same basic phenomenon.

At the end of the day, I still don't see why those things shouldn't be more secure. And I still don't see how your arguments have anything to do with security. No, it doesn't have to be fixed rate to be secure. No, you don't need to shoot a few amps through someone's chest. Etc. You just need to spend some time designing and reviewing it for security too, which is where most people fail. In all domains, so I'm not just picking on pacemakers. Pretty much invariably the failure isn't that security is impossible, it's that it didn't occur to anyone to even think (much) about it.

I mean, seriously, it didn't take me more than 5 minutes to think up solutions to those issues you raise, and I'm not even claiming to be the smartest guy around. I'm sure you or the companies manufacturing them too can come up with even better ones. But for that to happen, you have to snap out of the reflex of defending insecure designs as inevitable and impossible to change. You just need to devote some honest thinking and research to security too. That's all.

Or even shorter, as I was saying: it's that fatalism that's the problem. Too many people are too quick to throw both hands up and accept that everything is hackable anyway, rather than even try to do better.

Re:Bionic eye

[bay43270]

Also, your pacing needs change as you grow and as your heart develops. Not all pacemakers go into 70-year-olds.